insufficient-data and probe-skype Problems


L3 Networker

Hi Guys,

When I'm trying to monitor the traffic via the Monitor tab on Palo Alto, I can see insufficient-data under the Application tab (using the TCP protocol) and probe-skype (using the UDP protocol).

Who can explain to me what those two applications mean? I need more info about them.

Thanks

10 REPLIES

L7 Applicator

Hello TigranGevorgyan ,

Insufficient data means that there was not enough data to identify the application. So for example, if the 3-way TCP handshake completed and there was one data packet after the handshake, but that one data packet was not enough to match any of our signatures, then you would see insufficient data in the application field of the traffic log.

If you open the traffic logs and analyze them in detail, you will see that the number of packets in each direction (server to client and client to server) is very low.

Secondly, the skype-probe is an application for controlling the probing behaviour of Skype. It works over the UDP protocol with a dynamic port.

Reference DOC

Controlling Skype

Incomplete, Insufficient data and Not-applicable in the application field

Hope this helps.

Thanks

L6 Presenter

Hi Tigran,

Please refer to the following document for the insufficient-data app.

Incomplete, Insufficient data and Not-applicable in the application field

Refer to the following doc for SKYPE probe.

How to Block SKYPE

Regards,

Hardik Shah

L7 Applicator

A few more related discussion threads for your reference:

Skype

Re: Skype & unknown traffic

Skype-probe rule catching other traffic

tcp

Hope this helps.

Thanks

Good luck controlling Skype with the PALO. If you are on Active Directory, research using Group Policy to deploy policy to lock things down; this will help you with your attempt to use the PALO app IDS.

L3 Networker

Guys,


Thanks a lot for your support. I'll go over the documentation you gave me to understand the issue better.


Huge Thanks

Tigran

L3 Networker

Guys, I would like to clarify one of the problems that happened this week. I received a call from another company; they said they had noticed what seemed to be a UDP scan or some kind of attack from our side. They had our real IP, and they gave me an IP that we "wanted" to scan. In the traffic logs I found the host that the traffic came from; in the monitor log the protocol was UDP and the application was Skype probe or insufficient-data. That went on for almost 1 week. Then I disconnected and reconnected the host's internet, and everything works fine now. Since restarting the network, everything is also OK on the other side (the other company's).

Who can help me understand this mystery? :)


Thanks in Advance


Tigran

Could you please let me know what host it was? As you said, "disconnect and reconnect the host internet and everything works fine".

Thanks

The host is the MacBook of one of our developers. I reconnected the internet and everything was solved.

Hello Tigran,

There is a possibility that one or more processes on that MacBook were corrupted and were flooding packets towards random public IP addresses. Did you check the utilization on that Mac before reconnecting the internet?

Thanks
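As an added example (not part of the thread and not Palo Alto code), the triage described above can be scripted: group exported traffic log rows by source and count the distinct destinations reached by short sessions logged as insufficient-data or skype-probe. The column names, thresholds and sample rows are assumptions constructed for this sketch.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. Column names are assumptions for this example,
# not the firewall's own CSV export headers.
SAMPLE_LOG = """\
src,dst,proto,app,pkts_sent,pkts_received
10.1.1.23,198.51.100.7,udp,skype-probe,1,0
10.1.1.23,198.51.100.8,udp,skype-probe,1,0
10.1.1.23,198.51.100.9,udp,insufficient-data,2,0
10.1.1.23,203.0.113.10,udp,skype-probe,1,0
10.1.1.23,203.0.113.11,udp,insufficient-data,1,1
10.1.1.23,203.0.113.12,udp,skype-probe,1,0
10.1.1.23,203.0.113.12,udp,skype-probe,1,0
10.1.1.40,198.51.100.7,tcp,insufficient-data,40,38
10.1.1.40,198.51.100.20,tcp,insufficient-data,4,3
10.1.1.50,203.0.113.80,tcp,web-browsing,12,15
"""

# Application names as they appear in the thread (both spellings).
WATCHED_APPS = {"insufficient-data", "skype-probe", "probe-skype"}


def fan_out(log_text, min_dests=5, max_pkts=10):
    """Map each source to its count of distinct destinations reached by
    short sessions logged under a watched application, keeping only
    sources that reach at least min_dests destinations."""
    dests = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        if (row.get("app") or "").strip().lower() not in WATCHED_APPS:
            continue
        try:
            total = int(row["pkts_sent"]) + int(row["pkts_received"])
        except (TypeError, ValueError):
            continue  # skip rows with missing or malformed counters
        if total <= max_pkts:
            dests[row["src"]].add(row["dst"])
    return {s: len(d) for s, d in dests.items() if len(d) >= min_dests}


if __name__ == "__main__":
    for src, count in sorted(fan_out(SAMPLE_LOG).items()):
        print(f"{src}: {count} distinct destinations in short sessions")
```

A single internal source with many distinct destinations and only a packet or two per session matches what the other company reported seeing; a host with one or two such sessions is ordinary noise.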
